Merge pull request #2736 from brandonpayton/add-regex-match-limits-and-error-reporting

Add isolated PCRE match limits as a layer of ReDoS defense
2025-12-31 21:59:11 +03:00 · 2023-05-09 06:09:28 -07:00
parent 62bbd7b078 d875738bdb
commit 09a135baab
19 changed files with 7998 additions and 7527 deletions
--- a/src/parser/location.hh
+++ b/src/parser/location.hh
@@ -1,4 +1,4 @@
-// A Bison parser, made by GNU Bison 3.7.6.
+// A Bison parser, made by GNU Bison 3.8.2.

 // Locations for Bison parsers in C++

--- a/src/parser/position.hh
+++ b/src/parser/position.hh
@@ -1,4 +1,4 @@
-// A Bison parser, made by GNU Bison 3.7.6.
+// A Bison parser, made by GNU Bison 3.8.2.

 // Starting with Bison 3.2, this file is useless: the structure it
 // used to define is now defined in "location.hh".
--- a/src/parser/seclang-parser.cc
+++ b/src/parser/seclang-parser.cc
--- a/src/parser/seclang-parser.hh
+++ b/src/parser/seclang-parser.hh
--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@@ -184,6 +184,8 @@ class Driver;
 #include "src/variables/matched_vars.h"
 #include "src/variables/matched_vars_names.h"
 #include "src/variables/modsec_build.h"
+#include "src/variables/msc_pcre_error.h"
+#include "src/variables/msc_pcre_limits_exceeded.h"
 #include "src/variables/multipart_boundary_quoted.h"
 #include "src/variables/multipart_boundary_whitespace.h"
 #include "src/variables/multipart_crlf_lf_lines.h"
@@ -368,6 +370,8 @@ using namespace modsecurity::operators;
  VARIABLE_INBOUND_DATA_ERROR   "INBOUND_DATA_ERROR"
  VARIABLE_MATCHED_VAR          "MATCHED_VAR"
  VARIABLE_MATCHED_VAR_NAME     "MATCHED_VAR_NAME"
+  VARIABLE_MSC_PCRE_ERROR           "MSC_PCRE_ERROR"
+  VARIABLE_MSC_PCRE_LIMITS_EXCEEDED "MSC_PCRE_LIMITS_EXCEEDED"
  VARIABLE_MULTIPART_BOUNDARY_QUOTED
  VARIABLE_MULTIPART_BOUNDARY_WHITESPACE
  VARIABLE_MULTIPART_CRLF_LF_LINES    "MULTIPART_CRLF_LF_LINES"
@@ -1648,10 +1652,10 @@ expression:
        YYERROR;
 */
    | CONFIG_DIR_PCRE_MATCH_LIMIT
-/* Parser error disabled to avoid breaking default installations with modsecurity.conf-recommended
-        driver.error(@0, "SecPcreMatchLimit is not currently supported. Default PCRE values are being used for now");
-        YYERROR;
-*/
+      {
+        driver.m_pcreMatchLimit.m_set = true;
+        driver.m_pcreMatchLimit.m_value = atoi($1.c_str());
+      }
    | CONGIG_DIR_RESPONSE_BODY_MP
      {
        std::istringstream buf($1);
@@ -2321,6 +2325,14 @@ var:
      {
        VARIABLE_CONTAINER($$, new variables::MatchedVarName());
      }
+    | VARIABLE_MSC_PCRE_ERROR
+      {
+        VARIABLE_CONTAINER($$, new variables::MscPcreError());
+      }
+    | VARIABLE_MSC_PCRE_LIMITS_EXCEEDED
+      {
+        VARIABLE_CONTAINER($$, new variables::MscPcreLimitsExceeded());
+      }
    | VARIABLE_MULTIPART_BOUNDARY_QUOTED
      {
        VARIABLE_CONTAINER($$, new variables::MultipartBoundaryQuoted());
--- a/src/parser/seclang-scanner.cc
+++ b/src/parser/seclang-scanner.cc
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@@ -186,6 +186,8 @@ VARIABLE_GLOBAL                           (?i:GLOBAL)
 VARIABLE_INBOUND_DATA_ERROR               (?i:INBOUND_DATA_ERROR)
 VARIABLE_MATCHED_VAR                      (?i:MATCHED_VAR)
 VARIABLE_MATCHED_VAR_NAME                 (?i:MATCHED_VAR_NAME)
+VARIABLE_MSC_PCRE_ERROR                   (?i:MSC_PCRE_ERROR)
+VARIABLE_MSC_PCRE_LIMITS_EXCEEDED         (?i:MSC_PCRE_LIMITS_EXCEEDED)
 VARIABLE_MULTIPART_BOUNDARY_QUOTED        (?i:MULTIPART_BOUNDARY_QUOTED)
 VARIABLE_MULTIPART_BOUNDARY_WHITESPACE    (?i:MULTIPART_BOUNDARY_WHITESPACE)
 VARIABLE_MULTIPART_CRLF_LF_LINES          (?i:MULTIPART_CRLF_LF_LINES)
@@ -910,6 +912,8 @@ EQUALS_MINUS                            (?i:=\-)
 {VARIABLE_INBOUND_DATA_ERROR}               { return p::make_VARIABLE_INBOUND_DATA_ERROR(*driver.loc.back()); }
 {VARIABLE_MATCHED_VAR_NAME}                 { return p::make_VARIABLE_MATCHED_VAR_NAME(*driver.loc.back()); }
 {VARIABLE_MATCHED_VAR}                      { return p::make_VARIABLE_MATCHED_VAR(*driver.loc.back()); }
+{VARIABLE_MSC_PCRE_ERROR}                   { return p::make_VARIABLE_MSC_PCRE_ERROR(*driver.loc.back()); }
+{VARIABLE_MSC_PCRE_LIMITS_EXCEEDED}         { return p::make_VARIABLE_MSC_PCRE_LIMITS_EXCEEDED(*driver.loc.back()); }
 {VARIABLE_MULTIPART_BOUNDARY_QUOTED}        { return p::make_VARIABLE_MULTIPART_BOUNDARY_QUOTED(*driver.loc.back()); }
 {VARIABLE_MULTIPART_BOUNDARY_WHITESPACE}    { return p::make_VARIABLE_MULTIPART_BOUNDARY_WHITESPACE(*driver.loc.back()); }
 {VARIABLE_MULTIPART_CRLF_LF_LINES}          { return p::make_VARIABLE_MULTIPART_CRLF_LF_LINES(*driver.loc.back()); }
--- a/src/parser/stack.hh
+++ b/src/parser/stack.hh
@@ -1,4 +1,4 @@
-// A Bison parser, made by GNU Bison 3.7.6.
+// A Bison parser, made by GNU Bison 3.8.2.

 // Starting with Bison 3.2, this file is useless: the structure it
 // used to define is now defined with the parser itself.